Apple's lone wolf approach to security will bite it in the rear

Apple may have minimal market share in desktop computers, but it has dominated the smartphone and tablet markets for years without any significant hacker exploits. Is Apple impervious to hackers, or is it just a matter of time before its luck runs out? The answer to both questions is a definite maybe. For years Apple has flown …

COMMENTS


Silver badge
Meh

Anything can be broken, anything can be got into, so no one system is immune. It's a question of the manufacturers taking a proper approach to the problem and the end user being sensible.

0
0
Bronze badge
Mushroom

What rubbish. It is the NT-based OSes that are designed with 'security baked in' and UNIX that has to bolt on things like proper access ACLs and SEL to provide full security. Windows passed things like FIPS certification almost out of the box, whereas Linux required massive changes to be made.

This is largely why Linux servers are a much larger security risk than Windows ones: http://www.zone-h.org/news/id/4737

4
17

The trend is social engineering

Even Microsoft hacks are tending more towards social engineering of the end user to get them to install malware. Much as MS is criticised for having vulnerabilities over the years, it has made MS users aware of the pitfalls and more wary of clicking Yes or OK without thinking.

Apple users are only starting this journey, and Apple does not yet have the responsiveness of other software providers, in that they provide security updates as and when they deem it necessary or a press release exerts pressure.

This is not a troll. I use MS, Android (even further behind Apple) and Apple, and work in information security, so I am aware of what fixes are released, when, what prompted the fix and, more importantly, how the exploits work.

Few are now direct attack exploits compared to just 2 years ago; most expect a user to click somewhere to trigger the exploit, putting the major OSes and apps on a similar playing field.

7
0
jai
Silver badge

Re: The trend is social engineering

Rather than a trend, it is more the current fad.

As soon as a way is found to reduce the success of these social engineering attacks, another method of attack will be chosen. Social engineering attacks are only used now because previous vectors of attack are no longer so successful.

Your comment suggests that Apple users are brand new to the social network scene and will happily click and install malware without suspicion. That's not the case.

Also, you suggest that because MS users have had malware installed in the past, they are more wary now? That's similar to suggesting that it's a good thing that your house burnt to the ground, because now you'll be more careful about not leaving the gas on the cooker while lighting up a cigarette.

4
1

Hence Gatekeeper

Apple's front door is increasingly well guarded: the App Store and Gatekeeper systems are pretty good, sandbox most third-party apps, and give them a great mechanism for scheduled update checks as well (along with the server infrastructure to send updates out quickly...). The problem there is that onerous sandboxing restrictions could soon drive a lot of popular apps elsewhere, which would defeat that advantage; they need to consider setting up a system to allow popular apps like SuperDuper that have to run outside a sandbox to get on the App Store (possibly with a disclaimer).

The Java attack was devastating because it struck at a real back door: an area of OS X Apple had ignored, and didn't seem to be able to quickly update. I hope they've learned their lesson (in fact, did you know that upgrading to Mountain Lion uninstalls Java?) but they're now a major target for hackers, and I don't think they have much experience at dealing with that. Maybe they should hire people from Microsoft?

3
1

Re: Hence Gatekeeper

"Apple's front door is increasingly well guarded-the App Store and Gatekeeper systems are pretty good"

You mean apart from all those iOS apps that got through the front door downloading your entire contact list and other personal details without permission?

Apple had zero clue about that until it hit the papers. Better to have a guard than none, but it's far, far from infallible.

6
0

Re: The trend is social engineering

My experience of Mac users must be different to yours, as about 90% of all the ones I support will just click yes yes yes to anything flagged in front of them. Windows users that I support, however, on the whole don't, and I often get requests to look at things they aren't sure about.

1
0
Anonymous Coward

Re: Hence Gatekeeper

"You mean apart from all those iOS apps that got through the front door downloading your entire contact list and other personal details without permission?

Apple had zero clue about that until it hit the papers. Better to have a guard than none, but it's far, far from infallible."

Actually Apple had a huge clue about that: it was a very well documented and understood "feature" that apps were free to access your contact list.

I have no idea how this was considered a good idea at the time of design but it was absolutely intentional. (And now we can argue about which is worse, poor security foresight or accidental security holes...)

3
0
Bronze badge
Mushroom

Re: Hence Gatekeeper

Erm - but iOS could be rooted simply by visiting a webpage....

2
5
Silver badge
FAIL

Sunoracle fail

Once again, regardless of the OS, security starts with removing the malware portals that are the Oracle Java VM as well as Adobe Flash and Reader. For something supposedly built to be secure, the Java VM generates even more critical CVEs than even M$ these days.

4
3
Silver badge
FAIL

Re: Sunoracle fail

And as for the inevitable downvotes from the Java programmers: yes, the language is useful and has its place, but the official reference VM implementation has always sucked (along with many of the APIs, which even Sun quickly obsoleted, but I digress) and it doesn't belong on the desktop of most users.

3
0
Mushroom

No

Apple are responsible for Java updates on OS X now following the Oracle takeover. It's their problem. And I worry about this, because OS X Mountain Lion uninstalls Java when you update.

I need Java for work, but I think Apple's decision after the Java malware fiasco may be to quietly declare Java deprecated, move the less-expert users away from it, and take the position that anyone knowledgeable enough to reinstall it from a terminal window can look after themselves with minimal attention paid by Apple to providing security updates in future. I think I may be about to become the victim of Apple's ruthless deprecation processes.

4
0
Pirate

Re: No

Removing Java was a brilliant move. I would say 99% of users we support never need Java, so having it there just left a vector of attack. No one I know even knew it was there beforehand or what it was, except a few programmers.

I need Java for one system I use and so, after upgrading to 10.8, I simply installed it again, and am aware of potential issues with it.

Why are people so bent out of shape on this? Need it, install it. Simple.

4
1
Anonymous Coward

Click yes by default ...

... is still the prevalent attitude for a lot of computer users. They are more afraid of saying no and having the message "they obviously didn't read" cause a problem than of just saying yes and going on with what they are doing. For years, I've given this simple security tip to anyone whose computer I have fixed: "Read the message. If you don't understand it, clicking NO is always the safer option". The few that listened I lost as costumers, because all of a sudden the computer stopped breaking.

6
0
HMB

Users don't want security

Windows NT based products have good levels of built in security, 9x was a patched on disaster, sure, but NT has always been good.

Microsoft's problem is that users don't want security. They don't want complicated passwords, they want their password to be "woofy". They don't want the screen dimming and a privilege escalation box. Hell, users don't even want to read system messages.

Microsoft know their users, so do Apple. For Microsoft they've had to learn to give their users things they didn't want for their own good.

7
1
Anonymous Coward

Re: Complicated Passwords?

It's not whether the password is complicated or not; it's whether it gives unfettered access to the entire system or not.

2
1
Anonymous Coward

Re: Click yes by default ...

Wat

You lost "costumers" because their computer stopped breaking?

Wat

0
5
Anonymous Coward

Ahem...

@HMB

"Microsoft's problem is that users don't want security. They don't want complicated passwords, they want their password to be "woofy". They don't want the screen dimming and a privilege escalation box. Hell, users don't even want to read system messages."

You bet I don't want screen dimming. It drives me nuts and is one of the first things I turn off anywhere I find it.

I am perfectly capable of understanding a privilege escalation box without it thanks.

1
3
Anonymous Coward

I love OSX and my laptop is around 4 years old. A while ago it would have been a no brainer to upgrade to a new machine. But the fact my Mac Pro won't run the new OSX even though it runs faster than my laptop is just ridiculous.

Okay, would you really expect them to write new EFI firmware for a 6 year old machine? I guess not and I would need to stick a new graphics card in it. Luckily I'm not that bothered as it's running Snow Leopard still, but it was a wake up call.

I will have to see what happens with Logic Studio and see what OS it needs and if they're going to dumb that down like they did Final Cut. But they really are losing any credibility they had in the creative media industries. The really sad thing is how crap Windows 8 will be for doing anything remotely similar like music production.

1
0
Bronze badge
Linux

Snow Leopard => Intel Mac Pro?

Have a look at Ubuntu then. Try CinelerraCV for video (some of the Final Cut clients have started to use this). Try out Ardour and a sequencer. Don't forget stuff like PD in an fx loop... JACK audio is frustrating to start with, but then you get to see the Frankenstein-like possibilities.

Back on topic: does a media production machine need an internet connection? If not, that is almost all of your security sorted, whatever the OS.

2
1

They shouldn't

This is probably tempting fate, but the reason for the FCP debacle was that they needed to completely rewrite it anyway: it was a Carbon app and needed to be changed to Cocoa to run as a 64-bit process, and they went overboard with the idea that FCPX could be born legacy-free. Logic Pro has been Cocoa for five years now, so there is no absolute need for a major rewrite.

0
0
Stop

Back on topic.

Back to the security issues. People have been claiming it will bite Apple in the ass (one day) since Jobs came back. It never has, and I'm pretty sure that it is just pissed-off "security experts" talking. I don't trust "security experts" one lick.

6
7
FAIL

Re: Back on topic.

Um, if you didn't notice, it already has: look back at the Flashback virus. MS had a fix for it within a day of it being announced in the wild; it took Apple 2 months to release the fix for it. But in the end the biggest security flaw in the OS is the user at the keyboard. Windows users know what can happen very easily to your computer and are proactive most of the time to fight it. Apple users, on the other hand, mostly think their machine is just secure and not at risk for anything. Apple for the longest time had "we don't get virus" crap on their website; that is gone now.

2
0
Bronze badge
Mushroom

Re: Back on topic.

That's because OS X has never had significant market share. At only circa 5% it simply isn't worth it for hackers...

3
3
Alert

Re: Back on topic.

LOL...uh huh...keep telling yourself that!

So if you're a hacker, do you go after Windows users with all their anti-virus software installed on cheap computers, or do you go after the MILLIONS of unprotected expensive Macs with owners that actually have $$$$?

Humm.... nawwwww...I'll go after the Windows boxes where I'll be lucky to infect a few thousand before I'm found out and stopped.

Great logic!

0
0
Bronze badge
Mushroom

Re: Back on topic.

A simple look at the statistics proves that you are wrong... Windows has far fewer security vulnerabilities than OS X, yet far more malware. Therefore hackers clearly do make the choice to attack Windows.

2
2

That article was pretty useless and doesn't have anything of value to really say. One of its key points was over something that was a flaw with humans rather than software, and largely due to the guy being a public figure with something of value that was relatively easy to take hold of from a remote location.

And yes OSX is vulnerable to stupid users just like all operating systems. The 100% full proof system is one that gives you zero freedom.

9
2
Bronze badge

"The 100% full proof system is one that gives you zero freedom."

And does not exist.

0
0
Go

Re: "The 100% full proof system is one that gives you zero freedom."

You missed the opportunity to point out that iOS tries...

4
0
Trollface

never understood why there isnt a lot more viruses for macs

if the customers are stupid enough to buy there over priced crap, then chances are they are stupid enough not to check there bank accounts!

6
9

Re: never understood why there isnt a lot more viruses for macs

If you're going to call others stupid best not to show ignorance with your grammer and spelling.

there = their

isnt a lot more = aren't more

Or are you typing from a .......... machine?

3
5
Silver badge
Facepalm

Re: never understood why there isnt a lot more viruses for macs

You might want to check one of those helpful but somewhat condescending suggestions.

Just a thought.

2
1

Re: never understood why there isnt a lot more viruses for macs

oh noes, i have shown my lack of understanding and inteliigence becuase i cant type a correct order of symbols.

poor grammer and spelling show nothing more than a poor grasp of grammer and spelling.

1
9
Silver badge
Headmaster

Re: never understood why there isnt a lot more viruses for macs

"If you're going to call others stupid best not to show ignorance with your grammer and spelling."

If you're going to call other ignorant, best learn how to spell grammar.

Pot, meet kettle.

8
0
Headmaster

Re: poor grammar and spelling show nothing more than a poor grasp of grammer and spelling.

No. They show poor use of the primary means of communication. They also show lack of understanding of structure and logic, which can be rather important in a technical field.

It is impossible to post in a grammar-Nazi subthread without making embarrassing mistakes, so I'm just going to hit that submit button, because how ever many times I proof-read this, I will not spot mine. But everybody else will, immediately.

(And, although my grammar is average plus, my spelling is lousy)

6
0
Big Brother

Re: never understood why there isnt a lot more viruses for macs

'poor grammer and spelling show nothing more than a poor grasp of grammer and spelling.'

If you say so...but it also shows laziness and lack of rigor, conversational dullness and impeded comprehension

...pretty much borne out by your inane comments.

5
0
FAIL

Re: never understood why there isnt a lot more viruses for macs

@Mike Brown sez .. 'poor grammer and spelling show nothing more than a poor grasp of grammer and spelling' . You are correct. Grammar is irrelevant in this instance. The comment itself is sufficient to demonstrate your breathtaking ignorance.

1
1
Anonymous Coward

lol FAIL @ egal

The amount of fail and irony in your post is hilarious.

2
0
Headmaster

Re: @Kubla Cant

> If you're going to call other ignorant

others?

1
0
FAIL

Re: never understood why there isnt a lot more viruses for macs

Grammer = grammar

Or are you typing on behalf of an actor......... called Kelsey?

0
0
Trollface

Stupidity is the greatest hacking tool there is. The ‘One password to access them all’ mentality will be the undoing of the FaceSpace generation. One false move and All your clouds are belong to us.

5
0

Not recent

Imperva didn't recently highlight this trend. The pdf linked to is from October 2011.

2
0
Silver badge

Time for MS to....

enable DEP and ASLR for all apps regardless, and force a separate password-protected admin account with standard user accounts.

0
0
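As an added example (not from the forum post, and not Microsoft documentation), the following PowerShell audit shows what the two wishes above look like as a check on a Windows 10 or later machine: whether DEP and the ASLR options are forced system-wide, and which accounts sit in the local Administrators group. It assumes the built-in `ProcessMitigations` and `LocalAccounts` modules are present and that `Get-ProcessMitigation -System` exposes the `DEP.Enable` and `ASLR.*` properties as named in the code; the enabling command is left as a comment because it needs an elevated shell.

```powershell
# Added example: audit system-wide exploit-mitigation policy and local admin membership.
# Assumes Windows 10 / Server 2016 or later (Get-ProcessMitigation, Get-LocalGroupMember).
# Property names below (DEP.Enable, ASLR.BottomUp, ...) are assumed from the
# Get-ProcessMitigation output object; values are ON, OFF or NOTSET.

function Get-MitigationAudit {
    $m = Get-ProcessMitigation -System
    [pscustomobject]@{
        DEP                = $m.DEP.Enable
        ASLR_BottomUp      = $m.ASLR.BottomUp
        ASLR_ForceRelocate = $m.ASLR.ForceRelocateImages   # "ASLR for all apps regardless"
        ASLR_HighEntropy   = $m.ASLR.HighEntropy
    }
}

function Get-LocalAdminAudit {
    # Any day-to-day interactive account listed here runs with full admin rights,
    # which is the opposite of the "separate admin account" the post asks for.
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

$audit = Get-MitigationAudit
$audit | Format-List

# NOTSET means the per-process default applies (opt-in), so only ON counts as enforced.
$weak = $audit.PSObject.Properties | Where-Object { "$($_.Value)" -ne 'ON' }
if ($weak) {
    Write-Warning ("Mitigations not forced system-wide: " + ($weak.Name -join ', '))
    # To enforce them (elevated shell required; reboot to apply fully):
    #   Set-ProcessMitigation -System -Enable DEP,BottomUp,ForceRelocateImages,HighEntropy
}

Write-Host "`nMembers of the local Administrators group:"
Get-LocalAdminAudit | Format-Table -AutoSize
```

Run it from a normal (non-elevated) session first: the audit itself needs no admin rights, and the output tells you whether the mitigations are enforced before you decide to change anything. Forcing `ForceRelocateImages` system-wide can break old binaries that were not linked as relocatable, so test on a representative machine before rolling it out.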
Bronze badge

Confidentiality agreements

Once you get your misbehaving app past the Apple clerks, it's quite easy to do a scam.

And the confidentiality agreement probably even helps you hide away once you are found out.

Lucrative would be an understatement if this turns out to be true.

0
0
LDS
Silver badge

What are security breaches used for? Crackers don't need a tablet botnet - yet....

There is a misconception about attacks. Why does someone attack a device? To obtain a gain. That can be stealing your information, trying to deceive you and get money directly from you, or using your system to build more lucrative attacks, be it simple spam or hiding an attack against a paying target.

A lot of the malware around is used to build botnets for spam. That's why Apple products are not interesting to criminal hackers. It's far better to target Windows PCs all over the world - you don't need a tablet/phone botnet - yet.

Stealing information - and I mean stealing more information than those mobile devices already steal and phone home with, because they are already designed so - is a new territory to be exploited. The more interesting information gets stored on mobile devices, the more they become appealing to crackers, and by "interesting" I do not mean some nude pics of celebrities. But remember some of those attacks may work *above* the OS - preferably through and in a browser. Moreover, mobile devices are more likely to connect to far less secure and reliable networks...

3
0
Anonymous Coward

Really?

"whereas Windows has traditionally treated security as a feature to be added to the kernel, rather than baked right in"

While that is very true for the DOS/Win9X platform, it is simply not an accurate statement for the Windows NT kernel, which has been in existence since 1993 and at the heart of most Windows desktops and servers for the last 10 years. Please do some reading!

http://www.windowsitpro.com/article/windows-2000/windows-nt-and-vms-the-rest-of-the-story

6
1
Roo
Silver badge
Coat

Re: Really?

I think people overstate the similarities between VMS & NT. Granted there are some superficial similarities at kernel level, but in terms of the OS they are nothing like. I went from VMS 5.5-2 to NT 3.51 and they were not remotely similar from the point of view of an application developer, system administrator or user. I was very disappointed by NT, it promised much and delivered sweet F.A. I suspect that if they had pitched NT as a multi-user OS rather than something that runs on a single-user workstation the security and resource management aspects would have been in much better shape.

It's a shame. Cutler & Microsoft had an opportunity to do something different and/or do something better; instead they copied an old OS and left all the good stuff behind. With 20/20 hindsight I would have liked to have seen MS clone UNIX and put all their energy into making their UNIX the bestest. That was never going to happen, because Cutler is quoted as hating Unix, and on that basis I figure he would be unlikely to take the time to learn enough to copy the good bits and learn from their mistakes.

Mine is the one with the VAX11 Architecture Handbook (c) 1979 in the pocket. :)

3
3
FAIL

Re: Really?

Let's correct a couple of things (so far):

Speaking of Apple: "...but it has dominated the smartphone and tablet markets for years without any significant hacker exploits."

So, the fact that each iOS version has been able to be rooted by jailbreakme.com isn't considered a significant hack/exploit? Not to mention the App Store's free in-app downloading vuln? For shame.

"...Apple has long benefited from treating security as a first-class citizen in its engineering philosophy."

Since when? Likely around 2003, when iOS was being developed. The article praises Apple over the "security-conscious" OSX, which is based on BeOS (a Unix variant) which Apple did not develop, but simply bought and slapped their GUI on top of. The fact it was secure from the ground up wasn't Apple's doing, but something they lucked out in inheriting.

I'm sorry, but stating: "Apple has long benefited from treating security as a first-class citizen in its engineering philosophy. This carries through to the design of Apple's mobile operating system iOS, as well." followed two sentences later by "Apple, which was somewhat blasé about iOS security early on, releasing the iPhone with serious security design flaws, has since smartened up about mobile security." is so contradictory that it hardly requires commenting. You can't "carry through" a strong security ethic, but then say that they were "blasé" about said ethic.

6
3
Bronze badge
Boffin

Re: Really?

Completely correct post! Though this being one of Mr Asay's masterpieces, the contradictions did not come as a surprise to me.

2
1

Nonsense

OS X is not built on top of BeOS. I think you mean NeXTSTEP/OPENSTEP.

6
0
